Marketplace Extensions Vetting Process and Security Model

We get a lot of queries about the extension vetting process we have in Marketplace, as well as the security model for Azure DevOps extensions. Marketplace serves the extension ecosystem for Visual Studio Code, Visual Studio IDE and Azure DevOps, and we strive to make sure that the extensions available in the marketplace are of high quality and are secure. Here are some of the things we do in our pipeline to ensure safety:

  • We perform a virus scan on both the initial publish and every subsequent update of an extension so that you aren’t getting malware from Marketplace. This also includes checking npm and other dependency packages for known vulnerabilities like this.
  • We perform a content scan on both the initial publish and every subsequent update of an extension so that you aren’t getting adult, offensive, CSAM (child sexual abuse material) or terrorist content from Marketplace.

Also, extensions can only operate within the scope and permissions they have been granted. For example, an extension which has only read permissions on work items cannot modify your features, bugs or any other type of work item. For Azure DevOps extensions, you can review the permissions that an extension requires in the Select Organization step, as shown below.

(image: extension permissions)

For publishers:

  • Before a publisher can publicly list an Azure DevOps extension in Marketplace, we need to verify them. This requires that they send an email to us from their account and state their social presence (LinkedIn, Twitter, GitHub, organization etc.). This way we know them a little better and can also confirm that it is not a bot publishing an extension.

Apart from the above, we also rely on the community to bubble up quality extensions and report the ones that seem suspicious. We have Q&A and Ratings on each extension so that you can engage with an extension’s publisher(s) and have a meaningful dialogue. You can also use this Q&A capability to understand the software development life cycle practices the publisher follows, their test matrix and their exit criteria. Also check what others are asking and whether the publisher responds promptly and meaningfully.

I also want to call out a few other important points:

  • There is no formal code review or evaluation process for extensions published to the Marketplace
  • Azure DevOps web extensions execute in the browser (iFrame) and can pull in scripts from other services (i.e. the extension is not limited to only the scripts it included within its package)
  • Azure DevOps web extensions run in isolation in the browser (a sandboxed iFrame), which prevents them from accessing Azure DevOps/TFS data or APIs they are not approved to access. You may have noticed that the admin is prompted to approve permissions when installing an extension that requires new permissions (e.g. “read only access to work items”). The extension is unable to do more than what it is authorized for at install time (and beyond what the current user of the extension is able to do). One way to protect yourself here is to carefully analyze the scopes being requested by the extension. If something doesn’t seem right, don’t install it, and contact vsmarketplace at microsoft dot com
  • There is no way for a web extension to install or run any code directly on the Azure DevOps or TFS servers. Build and Release tasks, though, are a little different. These tasks get downloaded to the agent machine (which can be hosted or on-premise) and get executed there. These tasks can download and invoke other code. To learn more about the agent security model, see https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops#security
  • Extensions should continue working after the sprintly Azure DevOps deployments and TFS upgrades, since we maintain backward compatibility for all APIs that an extension can call. Any data stored by the extension (in a service provided by Azure DevOps and TFS) is not touched during these deployments/upgrades.
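As an added illustration (not code from the Marketplace team or from this post), here is a small Python review script that reads an extension's vss-extension.json manifest and reports the two things the points above single out for scrutiny: scopes that go beyond read access, and build/release task contributions, which execute on the agent rather than in the sandboxed iFrame. The manifest below is constructed, and the read-only versus elevated split is an assumption based on the vso.* scope naming convention.

```python
import json

# Constructed sample manifest (not a real extension); its shape follows the
# vss-extension.json format that Azure DevOps extensions are packaged with.
SAMPLE_MANIFEST = json.dumps({
    "manifestVersion": 1,
    "id": "sample-ext",
    "publisher": "example-publisher",
    "version": "1.0.0",
    "scopes": ["vso.work", "vso.code_write", "vso.build_execute"],
    "contributions": [
        {"id": "work-hub", "type": "ms.vss-web.hub",
         "targets": ["ms.vss-work-web.work-hub-group"]},
        {"id": "run-script-task", "type": "ms.vss-distributed-task.task",
         "targets": ["ms.vss-distributed-task.tasks"]},
    ],
})

# Assumption: the vso.* scope naming convention marks anything beyond read
# access with one of these suffixes (vso.code vs vso.code_write, etc.).
ELEVATED_SUFFIXES = ("_write", "_manage", "_execute", "_full")
# Build/release task contributions are downloaded and executed on the agent,
# unlike web contributions, which stay inside the sandboxed iFrame.
TASK_CONTRIBUTION_TYPE = "ms.vss-distributed-task.task"


def review_manifest(manifest_text):
    """Summarize what an extension asks for before it is installed."""
    manifest = json.loads(manifest_text)
    scopes = manifest.get("scopes", [])
    elevated = [s for s in scopes if s.endswith(ELEVATED_SUFFIXES)]
    read_only = [s for s in scopes if s not in elevated]
    agent_tasks = [c["id"] for c in manifest.get("contributions", [])
                   if c.get("type") == TASK_CONTRIBUTION_TYPE]
    return {
        "extension": f"{manifest.get('publisher')}.{manifest.get('id')}",
        "read_only_scopes": read_only,
        "elevated_scopes": elevated,
        "agent_tasks": agent_tasks,
        # Anything that can write data or run code on an agent deserves a
        # closer look (and a trial install in an isolated organization).
        "needs_review": bool(elevated or agent_tasks),
    }


if __name__ == "__main__":
    for key, value in review_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```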

If you still have concerns about security, we recommend you install the extension on an isolated organization first to put your concerns to rest. This can be an internal test organization. After you’re satisfied with your testing, you can proceed to install the extension on your production organization. If you see compatibility issues after an update of the extension, please reach out to the publisher and report them.

Hope all this information was helpful. Please reach out to vsmarketplace at microsoft dot com in case you have any more questions!

If you see a suspicious extension on Marketplace, do report it to us at vsmarketplace at microsoft dot com. You can also use the ‘Report Abuse’ link on the extension’s details page to email us.


Ciao.

Windows Phone Mango Developer Tools

The consumer side of Windows Phone Mango was unveiled yesterday by Microsoft. It brings in some great new features like multitasking, IE9, fast application switching, maps, web marketplace etc., to name a few. I was also impressed with the enhancements to Bing like Local Scout, Bing Vision and Bing Voice. With the NoDo update fiasco now behind us, I think the expectations are set just right for the ‘mango’ update which will be coming this fall ;) One thing that annoys me is the feature-market fragmentation that’s happening with Windows Phone. What’s the deal with making some features available only to a few markets! Just look at the way Zune services and their features are split region-wise. It’s horrible and needs fixing.

Nothing was mentioned about Microsoft’s ad framework, PubCenter, and its expansion plans. It’s been close to 8 months since Windows Phone came out and PubCenter has expanded its market by zero, zilch, nada! There were talks a while back that it would be made available in Europe; I don’t know how that’s working out. Hey you, make it global already! And show us some pay-per-impression love.

Tools

You can download the Windows Phone Developer Tools 7.1 Beta from here (web installer): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=77586864-ab15-40e1-bc38-713a95a56a05&displaylang=en

And if you don’t believe in web installers, here’s the link to download the ISO file: http://download.microsoft.com/download/0/0/D/00D22BA8-E716-4272-93D8-C4D98F0567AE/WPDT_v2_Beta_en1.iso

Aaron Stebner’s post contains some more links and other useful information, do take a look: http://blogs.msdn.com/b/astebner/archive/2011/05/24/10168008.aspx

And remember to install Visual Studio 2010 SP1 first.

You have a good day while I watch the ISO getting sucked from the interwebs at mind-numbing speeds.  /s

Until next time…

Windows Mobile 6.x Application Submissions to Stop on July 15, 2011

I got a mail today from the Windows Phone Marketplace team that application submission to the Windows Mobile 6.x marketplace will be stopped effective July 15, 2011. Existing apps will stay on the marketplace, users (however many remain) will be able to download your apps and, more importantly, developer payouts will continue to happen as usual.

Here is the complete text of the mail,

——————–

May 16, 2011
Dear Windows Marketplace for Mobile Developer,

We are excited about the momentum we have with Windows Phone. Since we launched Windows Phone last fall, technical reviews have been very positive and, most importantly, customer satisfaction has been extremely high. Moreover, our Windows Phone Marketplace continues to grow at a fast pace. It now features more than 15,000 apps and games and there are over 40,000 registered developers.

At MIX we announced that in May we will release the beta version of the Windows Phone Developer Tools for the next version of Windows Phone, code-named “Mango,” which we are still on track to do. The Mango release will be made available to users later this year, and it represents the next step in our continued focus on advancing the Windows Phone platform and expanding the opportunity for developers.

To innovate faster on the Windows Phone Marketplace, we are scaling back our investments in the Windows Marketplace for Mobile service. We are sharing this plan with you, in advance, so that you can make thoughtful plans and preparations.

  • App Submission and Management. On July 15, 2011, we will no longer be accepting new Windows Mobile 6.x applications or application updates. In addition, it will no longer be possible to modify prices, metadata, or other information. However, you will still be able to remove your apps by contacting support.
  • App Distribution. Even though app submission will stop on July 15, users will still be able to purchase and download your Windows Mobile 6.x applications through the Windows Marketplace for Mobile.
  • App Reporting. Sales and download reports will continue to be available for your Windows Mobile 6.x applications through the App Hub after July 15.
  • Developer Payouts. Developer payouts will continue to be processed in accordance with the provisions of the Windows Phone Marketplace Application Provider Agreement.

Additional information regarding the scaling back of our investment in the Windows Marketplace for Mobile will be shared over the coming months as plans become finalized.

We would like to thank you for being part of our Windows Marketplace for Mobile developer community, and we look forward to helping you build more Windows Phone applications.

For more information, please visit the App Hub Forum. For further assistance, please contact support directly.

Thank you for your support,

The Windows Phone Marketplace Team

——————–

Rest in peace, Windows Mobile.

A tale of two dev accounts

You probably remember my rant from a while back about my Windows Mobile developer account having problems with the new AppHub; well, there have been a few developments and I thought I should share them with you.

First up, the issue isn’t fixed yet. I still cannot log in to AppHub using my Windows Mobile 6.x developer account and can’t view details of my Minesweeper app. Who knows how many copies it’s sold. I had numerous exchanges with Microsoft’s support team on the AppHub forums and via email as well (support ticket), but somehow we never managed to get to the root of it. In fact, the support team itself grew so tired of the problem that they suggested I create a new dev account.

I grew impatient, and it was really frustrating to have an app ready for submission but not being able to do anything with it. Eventually, the frustration had to show somewhere, and it was on this forum thread.

Prabhu Kumar in reply to Nick

Nick, I feel for you and totally understand the frustration. Since day one I have been getting the XBOX profile linking error,

We encountered an issue connecting your App Hub account with your Xbox Live Profile.
Please visit Xbox.com and update your contact information.
After you have updated your contact information, please return to the App Hub (https://users.create.msdn.com/Register) to continue.

I have an app published on the Windows Mobile 6.x marketplace since Aug, now I can’t view the details of this app.
I completed work on my WP7 application 1.5 months ago and the first version is ready for submission to marketplace, only if I can log in. You can imagine how frustrating all this can be; the issue has taken far too long to be fixed, and this has drained all my motivation.

I have exchanged numerous mails with Microsoft support team on this issue, and from the looks of it they really are trying their best, unfortunately, their best is not good enough for some of us. During the first week of December I was told that there would be an update happening to AppHub around mid of December. I was hoping that the issue would be fixed but it wasn’t. After the update the only change I notice is that the xbox.com link on the error page now takes me to the correct link. Previously, this link used to take me to the 404 page you mentioned above.

Out of desperation, I am now considering creating another developer account on AppHub with a new live id, even this I am not 100% sure will work.

I asked the support team when the next update to AppHub was planned and got this reply,
We do not have a release date to announce for the next App Hub update at this time. In regards to the login issue you are experiencing, at this point the only solution would be to create a new account with a different live ID, but make sure to go to xbox.com beforehand to get all the information in order on that side.

I know it’s an extra $99, and not that I can’t afford it but it doesn’t feel right and I shouldn’t have to be doing it in the first place. I have lost all hope of this issue being resolved.

I went ahead and created a new dev account, the id verification was in progress when Shaun Taulbee of Microsoft, who has been really helpful in the forums, replied saying,

If you find it necessary to pay again to create a new account due to a Microsoft problem, send in a support request asking for a refund and we’ll review it (and likely approve it given the circumstances).

The thought of a refund made me happy, but I had my doubts. So once my second account was verified by Geotrust I applied for a refund through the developer dashboard, by creating a support ticket. A couple of days later I got an email from Microsoft saying that the refund had been approved! Yay! A few days later the refund showed up on my bill:

(image: ms_refund)

Well, thank you Microsoft, it means a lot. I am glad it’s over now. The new account works flawlessly. I would still like to get my first account working again and look at my app numbers for Win Mo 6.x, and probably transfer the credits to the new account somehow, but I’ll save it for another day. If you’ve had similar problems with the AppHub, and had to create a new account to submit your app, I suggest you contact the support team and get your dollars refunded!